Who is ISO/IEC 42001 certified?
- Publicly verified as of July 2026: Anthropic, AWS, Snowflake, Salesforce, ServiceNow, CrowdStrike, Harvey.
- Every name was verified against a public trust-centre listing, press release or certification-body register before publishing here.
- Once the largest providers hold it, procurement treats absence as an anomaly, not a neutral state.
- Certification is a signal about governance, not about any specific product's safety.
- This list changes as more organisations certify — treat the dateline seriously.
- General information, not legal advice. Current as of July 2026.
The public list, verified
The following organisations are publicly verified ISO/IEC 42001 certified as of July 2026:
- Anthropic — publicly announced.
- Amazon Web Services (AWS) — publicly announced; AWS was among the earliest large hyperscalers to certify.
- Snowflake — publicly announced.
- Salesforce — publicly announced.
- ServiceNow — publicly announced.
- CrowdStrike — publicly announced.
- Harvey — publicly announced; the first widely-cited legal AI provider to certify.
Each name was verified against a public trust-centre listing, press release or certification-body register before publication. Any name that could not be independently verified was dropped rather than included on trust.
Why the largest providers certified early
For hyperscalers and enterprise AI platforms, ISO/IEC 42001 is a low-cost, high-leverage move. The management-system machinery already exists (they hold ISO 27001, 9001 and typically SOC 2). The certificate closes a fast-growing procurement question with a single artefact. And being on the certified list early sets the market's expectation baseline — one their sales teams reference in every enterprise conversation.
What that does to the market
Once buyers know the largest AI providers are certified, the absence of a certificate on a smaller vendor becomes something to explain rather than a neutral state. In practice this means a growing share of vendor questionnaires now ask either 'do you hold ISO/IEC 42001?' or 'when will you?', and 'we're evaluating it' has stopped clearing that gate in a lot of accounts.
What the certificate does — and doesn't — mean
The certificate is an attestation about governance, not about any particular product being safe or lawful. A certified organisation still needs product-level conformity for high-risk EU AI Act systems, still owes a DPIA where personal data is processed at scale, still owes sector-specific evidence where relevant. The certificate is powerful because it answers one commonly-asked question decisively — not because it answers every question.
Keeping the list current
This list will change quickly. The July 2026 dateline reflects the point at which each entry was independently verified. Certified organisations should appear on their own trust centre; the accredited certification body maintains a public register you can cross-check any specific claim against.
Key terms
- Trust centre
- A dedicated public page on a vendor's site listing certifications, attestations and security documentation.
- Certification register
- The public list a certification body maintains of the organisations it has certified and their scopes.